formbook | 3fc300b0b16fefb8d0dc08f09803d7dbff6be6ea2a4c87833fb285499a3fc6f0

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
16/05/2023, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO610008532.exe
Size

2.0MB
MD5

b7dc4b65e6239c0d20bcb4b59f5c644c
SHA1

e166cebfa0fb6e9e04f64f2f61dca71b49ef9e44
SHA256

3fc300b0b16fefb8d0dc08f09803d7dbff6be6ea2a4c87833fb285499a3fc6f0
SHA512

851b73419737a32ce06701e1d5ecbc32be6a5777709460a81afdc92d2b8ca322ae3fd93650610959f7921b41ae5ef99d2859a9949918f94fe4a673b759ed2607
SSDEEP

12288:D/cOS13ZjYXegrTuXXlC+pEXdOMnmfVWWd8wWDOZQgOxwr:afPWDOZQ

Score

10^/10

formbook wm23 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

wm23

Decoy

ntjhe.com

180yq.com

bcxlb.com

haefelinger.net

bkwbroadcasting.com

kastraestates.co.uk

ayasca.com

89spa.com

denizmobile-com-tr.net

5nrb3v.site

dewi.africa

darnacme.online

satovsky.rsvp

deluxhomefurnishings.com

igminitruckersolingen.com

celtictransportie.com

deltakrian.com

bassettsrestauranttogo.com

digitalcharts.xyz

glassbong.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/2036-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/576-74-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook
behavioral1/memory/576-76-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
692	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 2036	2004	PO610008532.exe	28
PID 2036 set thread context of 1272	2036	PO610008532.exe	16
PID 576 set thread context of 1272	576	help.exe	16

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe
2004	PO610008532.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1272	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2036	PO610008532.exe
2036	PO610008532.exe
2036	PO610008532.exe
576	help.exe
576	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	PO610008532.exe
Token: SeDebugPrivilege	2036	PO610008532.exe
Token: SeDebugPrivilege	576	help.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 2036	2004	PO610008532.exe	28
PID 2004 wrote to memory of 2036	2004	PO610008532.exe	28
PID 2004 wrote to memory of 2036	2004	PO610008532.exe	28
PID 2004 wrote to memory of 2036	2004	PO610008532.exe	28
PID 2004 wrote to memory of 2036	2004	PO610008532.exe	28
PID 2004 wrote to memory of 2036	2004	PO610008532.exe	28
PID 2004 wrote to memory of 2036	2004	PO610008532.exe	28
PID 1272 wrote to memory of 576	1272	Explorer.EXE	29
PID 1272 wrote to memory of 576	1272	Explorer.EXE	29
PID 1272 wrote to memory of 576	1272	Explorer.EXE	29
PID 1272 wrote to memory of 576	1272	Explorer.EXE	29
PID 576 wrote to memory of 692	576	help.exe	30
PID 576 wrote to memory of 692	576	help.exe	30
PID 576 wrote to memory of 692	576	help.exe	30
PID 576 wrote to memory of 692	576	help.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\PO610008532.exe
  "C:\Users\Admin\AppData\Local\Temp\PO610008532.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\PO610008532.exe
    "C:\Users\Admin\AppData\Local\Temp\PO610008532.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PO610008532.exe"
    3⤵
    - Deletes itself
    PID:692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-79-0x0000000000620000-0x00000000006B3000-memory.dmp

Filesize
588KB

Download
memory/576-76-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/576-75-0x00000000007B0000-0x0000000000AB3000-memory.dmp

Filesize
3.0MB

Download
memory/576-74-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/576-73-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/576-72-0x0000000000310000-0x0000000000316000-memory.dmp

Filesize
24KB

Download
memory/1272-71-0x0000000004EB0000-0x0000000004F86000-memory.dmp

Filesize
856KB

Download
memory/1272-84-0x00000000068E0000-0x00000000069BC000-memory.dmp

Filesize
880KB

Download
memory/1272-81-0x00000000068E0000-0x00000000069BC000-memory.dmp

Filesize
880KB

Download
memory/1272-80-0x00000000068E0000-0x00000000069BC000-memory.dmp

Filesize
880KB

Download
memory/1272-78-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/2004-60-0x00000000005C0000-0x00000000005DA000-memory.dmp

Filesize
104KB

Download
memory/2004-54-0x00000000012C0000-0x00000000014BC000-memory.dmp

Filesize
2.0MB

Download
memory/2004-55-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2004-56-0x0000000000240000-0x000000000028A000-memory.dmp

Filesize
296KB

Download
memory/2004-66-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2004-65-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2004-57-0x00000000002A0000-0x00000000002B8000-memory.dmp

Filesize
96KB

Download
memory/2004-58-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2004-59-0x0000000004D50000-0x0000000004D90000-memory.dmp

Filesize
256KB

Download
memory/2004-61-0x00000000004B0000-0x00000000004B6000-memory.dmp

Filesize
24KB

Download
memory/2036-70-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/2036-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2036-69-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/2036-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download